Principal Can Arbitrarily Expel Students During Session, Violating Graduation Invariants
Summary
The expel() function allows the principal to remove any student during an active session without constraint. This action can be taken even if the student has already met all graduation requirements, directly violating core system invariants and undermining the integrity of the upgrade process.
Vulnerability Details
The expel() function checks that the school is currently in session (inSession == true), but imposes no restrictions on when or why a student can be expelled:
According to the stated invariants:
A student must receive 4 weekly reviews
A student must not be upgraded unless they meet
cutOffScoreGraduation and upgrade only happen via
graduateAndUpgrade()at session end
If a student fulfills all requirements but is expelled just before the session ends, they are unjustly excluded from the graduateAndUpgrade() process, despite meeting all academic conditions. This introduces arbitrary governance risk and breaks the assumed graduation flow.
Impact
Violation of graduation logic: Students who have met all conditions can still be forcefully removed before upgrade.
Principal abuse: The system gives unilateral authority to the principal with no oversight or time restriction.
Inconsistency with invariants: The design explicitly assumes all eligible students are evaluated and upgraded at session end.
Tools Used
Manual code review
Cross-check with design invariants
Recommendations
Restrict expulsion to only students who have not met the score requirements.
Lead Judging Commences
can expel unfairly before upgrade
Principal can unfairly expel a student before upgrade
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.